git-id-switcher-v0.19.4

What's Changed

• revert: remove Legitify integration — upstream rejects fine-grained PATs (v0.19.4) by @nullvariant in #474

Full Changelog: git-id-switcher-v0.19.3...git-id-switcher-v0.19.4

git-id-switcher-v0.19.3

What's Changed

• feat(security): add Legitify SCM posture audit by @nullvariant in #472
• fix(security): pin Legitify to post-v1.0.11 main SHA, distribute badge (v0.19.3) by @nullvariant in #473

Full Changelog: git-id-switcher-v0.19.2...git-id-switcher-v0.19.3

git-id-switcher-v0.19.2

What's Changed

• chore(deps): Bump @types/node from 25.5.2 to 25.6.0 in the dev-dependencies group across 1 directory by @dependabot[bot] in #464
• chore(deps): Bump the production-dependencies group across 1 directory with 2 updates by @dependabot[bot] in #465
• chore(deps): Bump the github-actions group with 4 updates by @dependabot[bot] in #466
• chore(deps): Bump softprops/action-gh-release from 2.6.1 to 3.0.0 by @dependabot[bot] in #467
• chore(deps): Bump actions/github-script from 8.0.0 to 9.0.0 by @dependabot[bot] in #468
• fix(git-id-switcher): replace broken Snyk badge with static shield by @nullvariant in #470

Full Changelog: git-id-switcher-v0.19.1...git-id-switcher-v0.19.2

What's Changed

• chore(deps): Bump @types/node from 25.5.2 to 25.6.0 in the dev-dependencies group across 1 directory by @dependabot[bot] in #464
• chore(deps): Bump the production-dependencies group across 1 directory with 2 updates by @dependabot[bot] in #465
• chore(deps): Bump the github-actions group with 4 updates by @dependabot[bot] in #466
• chore(deps): Bump softprops/action-gh-release from 2.6.1 to 3.0.0 by @dependabot[bot] in #467
• chore(deps): Bump actions/github-script from 8.0.0 to 9.0.0 by @dependabot[bot] in #468
• fix(git-id-switcher): replace broken Snyk badge with static shield by @nullvariant in #470

Full Changelog: git-id-switcher-v0.19.1...git-id-switcher-v0.19.2

git-id-switcher-v0.19.1

What's Changed

• fix(git-id-switcher): replace broken Marketplace badge with Open VSX version badge by @nullvariant in #469

Full Changelog: git-id-switcher-v0.19.0...git-id-switcher-v0.19.1

git-id-switcher-v0.19.0

What's Changed

• refactor(errors): split validation types into dedicated module by @nullvariant in #403
• test(errors): add cross-OS getSafeStack path sanitization tests by @nullvariant in #404
• refactor(webview): extract pure HTML template functions for testability by @nullvariant in #405
• fix(ui): escape Markdown special characters in tooltip user values by @nullvariant in #406
• docs: add GOVERNANCE.md by @nullvariant in #407
• test(e2e): improve identityManager.test.ts assertion quality by @nullvariant in #408
• docs: cross-link root-level documents and improve discoverability by @nullvariant in #409
• test: add branch coverage tests by @nullvariant in #411
• refactor(ui): derive AddFormState from Identity and remove GenericQuickPick by @nullvariant in #412
• feat(security): add Allstar policy configuration by @nullvariant in #413
• chore(deps): update step-security/harden-runner action to v2.16.1 by @renovate[bot] in #415
• chore(deps): update restyled-io/actions action to v4.4.19 by @renovate[bot] in #414
• chore(security): add Snyk policy to exclude test false positives by @nullvariant in #416
• docs(git-id-switcher): add Snyk badge by @nullvariant in #417
• docs: reorder and expand security badges by @nullvariant in #419
• docs: remove unlinked service badges by @nullvariant in #420
• feat: add npm namespace placeholder for git-id-switcher by @nullvariant in #422
• fix: normalize repository.url in npm placeholder package by @nullvariant in #423
• docs: add FOSSA integration to SECURITY.md by @nullvariant in #424
• ci(dco): add DCO enforcement workflow by @nullvariant in #425
• docs(readme): add FOSSA License and Security badges by @nullvariant in #426
• docs(readme): add Socket.dev static badge by @nullvariant in #427
• fix(readme): correct Socket.dev badge link URL by @nullvariant in #428
• feat(ci): add CI-gated PR auto-approval to Justice bot by @nullvariant in #430
• fix: replace console.log/debug with OutputChannel-based extensionLogger by @nullvariant in #431
• refactor(security): separate log path validation into secureLogPath.ts by @nullvariant in #432
• fix(ci): replace gh pr review with gh api for checkout-free approval by @nullvariant in #433
• chore(coverage): enforce c8 coverage thresholds via .c8rc.json by @nullvariant in #434
• refactor(logging): add disposed guard to ExtensionLogger by @nullvariant in #438
• fix(ci): exclude dependabot commits from DCO check by @nullvariant in #439
• chore(deps): Bump the dev-dependencies group with 2 updates by @dependabot[bot] in #435
• chore(deps): Bump typescript-eslint from 8.57.2 to 8.58.0 in the production-dependencies group by @dependabot[bot] in #436
• fix(ci): allow SonarSource/sonarqube-scan-action in dependency review by @nullvariant in #440
• chore(deps): Bump SonarSource/sonarqube-scan-action from 7.0.0 to 7.1.0 in the github-actions group by @dependabot[bot] in #437
• refactor(logging): consolidate console.error/warn to extensionLogger by @nullvariant in #441
• refactor(test): improve assertion quality in errors.test.ts by @nullvariant in #442
• refactor(test): move toFieldError tests to validation-types.test.ts by @nullvariant in #443
• refactor(security): harden toFieldError defensive design by @nullvariant in #444
• refactor(test): extract shared env save/restore helper by @nullvariant in #445
• fix(git-id-switcher): improve Webview HTML template CSS/a11y by @nullvariant in #446
• refactor(git-id-switcher): extract buildHtmlShell helper by @nullvariant in #447
• refactor(git-id-switcher): scope webview body overrides by class and expand design tokens by @nullvariant in #448
• ci(dco): exclude renovate[bot] from DCO check by @nullvariant in #451
• chore(deps): update dependency python to 3.14 by @renovate[bot] in #450
• ci(deps): allow restyled-io sub-actions in dependency review by @nullvariant in #452
• chore(deps): update restyled-io/actions action to v4.4.20 by @renovate[bot] in #449
• security(git-id-switcher): harden webview CSP and add fail-safe fallback by @nullvariant in #453
• refactor(git-id-switcher): narrow webview fallback catch to CspValidationError by @nullvariant in #454
• security(git-id-switcher): SanitizedHtml branded type for buildDocumentHtml content by @nullvariant in #455
• fix(git-id-switcher): Webview template a11y improvements by @nullvariant in #456
• feat(git-id-switcher): defense-in-depth nonce/lang validation at buildHtmlShell by @nullvariant in #457
• refactor(git-id-switcher): split htmlTemplates into a directory and tighten shell trust boundary by @nullvariant in #458
• refactor(git-id-switcher): split shell.ts into types/csp/baseStyles/shell modules by @nullvariant in #459
• security(git-id-switcher): externalize linkInterceptScript and add href scheme allowlist by @nullvariant in #460
• refactor(git-id-switcher): narrow htmlTemplates ESLint exception to csp.ts only by @nullvariant in #461
• security(git-id-switcher): tighten CSP img-src from wildcard to explicit subdomain by @nullvariant in #462
• refactor(git-id-switcher): design tokens round two — body tokens + pad→size rename by @nullvariant in #463

Full Changelog: git-id-switcher-v0.18.0...git-id-switcher-v0.19.0

git-id-switcher-v0.18.0

What's Changed

• chore(deps): Bump typescript-eslint from 8.57.0 to 8.57.1 in the production-dependencies group by @dependabot[bot] in #368
• feat(ci): add dependency safety review to Justice-bot by @nullvariant in #369
• test: add temporary Justice-bot test workflow by @nullvariant in #371
• chore: remove temporary Justice-bot test workflow by @nullvariant in #373
• fix(ci): remove checkout from Justice-bot to resolve Scorecard alert by @nullvariant in #374
• feat(ci): add code quality review to Slow-bot by @nullvariant in #375
• feat(ci): add PR review to Mimi, Luna, Blaze, and Ciel bots by @nullvariant in #376
• feat(ci): add JSON Schema for zoo bot rule files by @nullvariant in #377
• fix(ci): add GH_REPO env to all zoo bot review jobs by @nullvariant in #379
• fix(ci): fix printf invalid option error in Ciel-bot by @nullvariant in #381
• fix(deps): bump flatted 3.4.1 to 3.4.2 by @nullvariant in #382
• chore(deps): Bump eslint from 10.0.3 to 10.1.0 in the dev-dependencies group by @dependabot[bot] in #383
• feat(ci): zoo bots respond to all PRs including workflow-only changes by @nullvariant in #385
• chore(deps): Bump the github-actions group with 5 updates by @dependabot[bot] in #384
• chore(deps): migrate typescript to v6 by @nullvariant in #387
• chore(deps): Bump picomatch from 4.0.3 to 4.0.4 by @dependabot[bot] in #388
• fix(deps): patch picomatch, yaml, brace-expansion vulnerabilities by @nullvariant in #389
• fix(deps): patch GHSA-f886-m6hf-6m8v and GHSA-qj8w-gfj5-8c6v by @nullvariant in #390
• chore(ci): migrate R2 deploy target from nullvariant-assets to kura by @nullvariant in #391
• chore(lint): add no-duplicate-imports ESLint rule by @nullvariant in #392
• fix(security): resolve infinite recursion risk in SecurityError.getSafeStack() by @nullvariant in #393
• fix(security): webview HTML escape defense-in-depth by @nullvariant in #394
• fix(security): mask SSH key path and GPG key ID in status bar tooltip by @nullvariant in #395
• refactor(validation): unify UI and identity layer validation as SSoT by @nullvariant in #396
• refactor(ui): split identityManager.ts into 4 modules by @nullvariant in #401
• chore(deps): Bump typescript-eslint from 8.57.1 to 8.57.2 in the production-dependencies group by @dependabot[bot] in #397
• chore(deps): Bump the github-actions group with 4 updates by @dependabot[bot] in #399
• chore(deps): Bump eslint-plugin-unicorn from 63.0.0 to 64.0.0 by @dependabot[bot] in #398
• chore(deps): Bump codecov/codecov-action from 5.5.3 to 6.0.0 by @dependabot[bot] in #400
• perf(identity): add validation cache and remove deprecated aliases by @nullvariant in #402

Full Changelog: git-id-switcher-v0.17.1...git-id-switcher-v0.18.0

git-id-switcher-v0.17.1

What's Changed

• docs(git-id-switcher): add Sync Check docs to 24 language READMEs by @nullvariant in #366
• fix(git-id-switcher): revert engines.vscode to ^1.85.0 by @nullvariant in #367

Full Changelog: git-id-switcher-v0.17.0...git-id-switcher-v0.17.1

git-id-switcher-v0.17.0

What's Changed

• feat(git-id-switcher): add sync checker engine by @nullvariant in #358
• feat(git-id-switcher): add status bar sync warning and resolution flow by @nullvariant in #359
• feat(git-id-switcher): add event-driven sync check, settings, and i18n by @nullvariant in #360
• fix(ci): replace trivy-action with direct GitHub Releases download by @nullvariant in #361
• fix(ci): add release-assets domain to egress allowlist by @nullvariant in #362
• fix(ci): use ghcr.io for Trivy vulnerability DB by @nullvariant in #363
• fix(ci): add raw.githubusercontent.com to egress by @nullvariant in #364
• fix(ci): add timestamp.sigstore.dev to egress by @nullvariant in #365

Full Changelog: git-id-switcher-v0.16.22...git-id-switcher-v0.17.0

git-id-switcher-v0.16.22

What's Changed

• ci: add OpenSSF Scorecard score threshold gate by @nullvariant in #339
• fix(ci): separate Scorecard threshold into its own job by @nullvariant in #340
• ci: add automated weekly VEX update workflow by @nullvariant in #341
• ci: add reproducible builds verification workflow by @nullvariant in #342
• ci: add VEX dependency review for Dependabot/Renovate PRs by @nullvariant in #343
• fix(ci): allow restyled-io/actions AGPL-3.0 in dependency review by @nullvariant in #345
• chore(deps): Bump the github-actions group across 1 directory with 4 updates by @dependabot[bot] in #346
• security(git-id-switcher): add Bidi detection and SSH key basename exact matching by @nullvariant in #347
• security(git-id-switcher): remove ssh-add -D and add log config validation by @nullvariant in #348
• ci(git-id-switcher): harden publish pipeline and npm audit strategy by @nullvariant in #350
• security(git-id-switcher): add O_NOFOLLOW symlink protection to log writer by @nullvariant in #349
• security(git-id-switcher): harden binary resolver (MEDIUM-3/4/6) by @nullvariant in #351
• security(git-id-switcher): add prototype pollution defense and unify os.homedir() by @nullvariant in #352
• security(git-id-switcher): add rate limiter to security logger (LOW-14) by @nullvariant in #353
• docs(git-id-switcher): ESLint exec ban, JSDoc, and security docs update (INFO-16/17) by @nullvariant in #354
• fix(security): harden document fetch with byte-length validation by @nullvariant in #355
• fix(security): add email address and PII command argument masking by @nullvariant in #356
• security(git-id-switcher): remove unsafe-inline from CSP style-src by @nullvariant in #357

Full Changelog: git-id-switcher-v0.16.21...git-id-switcher-v0.16.22

git-id-switcher-v0.16.21

What's Changed

• fix(ci): resolve Semgrep false positive on SonarCloud Action SHA pin by @nullvariant in #337
• docs: add Sigstore/SBOM badges, fix Semgrep Scorecard regression by @nullvariant in #338

Full Changelog: git-id-switcher-v0.16.20...git-id-switcher-v0.16.21